2.8.4 Is Out, Better Upgrade

If you haven’t heard the news, WordPress 2.8.4 has been released to fix another security/annoying issue that was discovered the other night. According to the announcement, this is what happens:

a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

I was very surprised to see an email show up in my inbox letting me know what my new password was to log into WPTavern.com. Once I discovered what the problem was, I fixed it by uploading the patched WP-Login.php file as suggested by Matt Sivel and a few others in the WordPress Developers IRC channel. That fixed the issue. There has been a bit of a debate on whether this is really a security vulnerability or not but one things for sure, it is highly annoying. Glad to see it fixed in short order. You’ll never hear me complaining about too many WordPress upgrades when it comes to stuff like this.

There is such thing as too many upgrades at one point. I rather have less frequent upgrades that are very well tested than having an upgrade everytime I change my boxers.

There are many tech directors like me who admin MANY websites. I admin a lot of sites for non-profit/community groups, and I have to be very careful on changes (upgrade = change).

These many upgrades can also be turned to a lack of checking out vulnerabilities…like when 2.8.0 came out, then when .1/2/3/4 comes out, then all these “small” fixes get added, why were they not checked over when the main big brother (2.8.0) came out? I am sure Matt and others check for bugs but they missed at least 4 (I will give them the benefit of thinking that .1-.4 each fixed ONE bug). If I see 2.8.5 come out anytime between now and Sep 1 (my birthday) then I will be loosing some trust on the safety/security checks on WordPress.

If there’s not already, there should be a plugin that automatically triggers upgrades when you login. Then the complainers wouldn’t have to worry about all the updates. Sure it would be risky, due to the chance of problems, but I think some people are willing to take that risk… Doesn’t the automatic upgrade have some safety measures anyway?

Miroslav, this login problem has been there for years, it’s just no one has noticed it until now. If this had been told to us in the 2.7 branch, we would have had to do a release then. There was nothing more or less tested about 2.8 than previous releases.

@Matt if this bug has been around since 2.7, then one must assume that WP development considered the issue to be minor, in order to have not been fixed quite some time ago. Which leads to questions like: why is it considered serious enough now to warrant a fix with a new 2.8.x release? And if it warrants a new release now vs. just rolling it into a future major release, it makes it look like something more serious had been “back-burnered” when it shouldn’t have been?

@Spamboy – You assume that everyone knew. When you read the code, everything looks good. Even when this problem was discussed on the Hackers list, some people didn’t see the problem when shown the code and the way to exploit the problem.

Thus, no one noticed it, and it wasn’t readily recognizable by doing a basic review of the code. However, this is something that is so readily exploitable that people were already doing it to numerous sites, this one included. It would have been extremely careless of the WordPress devs to not issue an immediate fix.

There was nothing more or less tested about 2.8 than previous releases.

and to me, that’s the problem. You’ve had 4 releases in less than 5 weeks. One because the developers admittedly just missed a few places where a known vulnerability existed, and this one which apparently was actually a vulnerability for quite some time.

Maybe with the recent track record of releases there SHOULD be more testing going on. A lot of people are getting sick of updating their sites so frequently and if you don’t want to start losing users to other platforms that at least appear to be more stable, action needs to be taken.

Acting like nothing’s wrong isn’t what most of us want to hear right now.

@Chris Thanks for the additional information from the hackers list (which I do not particpate in, and hence wasn’t privy to). I do assume everyone knew from Matt’s comments — “been there for years, it’s just no one has noticed it until now” sounds at first read that it wasn’t addressed until someone outside of development brought it up.

@Joss See above reply. I see what you are talking about now.

@Ben The only downside is two minor release updates within almost one week of one another. It doesn’t inspire confidence in the general public, although those experienced with WP know things are perfectly fine.

@Ben Cook – IMHO, I would rather see frequent releases as soon as security exploits are found rather than only major releases or even infrequent releases when batches of problems have been fixed.

I think the problem is that people are used to a different type of update schedule. One where known problems exist for weeks, months, or years even, and the developer does little or nothing to fix the problem.

I don’t know why someone would see frequent security patches and think “scary” or “unstable”. They should think that when they see a lack of frequent security patches. I certainly don’t want the perception of security and stability from Joe Webmaster determining the release cycle of WordPress.

It is important to remember that there isn’t such a thing as code without bugs. No amount of pouring over the code will catch everything. Even code launched into space on probes and satellites is often immediately found to have bugs. Thus, the best course of action is to be swift with patch releases when problems are found. Of course, it would be great if the software easily handled upgrades in order to make this update process relatively-simple and fast. Fortunately enough, that’s been taken care of as well.

Note that I’m not claiming that the level of testing is sufficient. I’m merely stating that the fact that we are up to 2.8.4 doesn’t mean that the level of testing is not sufficient.

One thing that will make WordPress the leading CMS for quite a while is the ease of upgrading and the speed at which they release updates related to security. After mucking with Joomla for the last 4 years, WordPress is a breath of fresh air.

Regular users running 2.8.x are still worried about the upgrade process. I made a video Wednesday showing people how to upgrade but they still balk.

@Chris Jean I work in a corporate environment and promote the use of WordPress within said environment. Frequent software updates which are not scheduled/expected does nothing to increase their confidence in any software suite, where having a dependable product — or the fallback of immediate, tremendous support — is of utmost importance. As I mentioned before, I know that WordPress is well-crafted and all known scenarios are tested; my corporate overlords are not as easily convinced. Hence, why frequent updates are “scary”, at least to them.